I stumbled upon this, fumbling around with dig as well; having already set-up my nameservers to only allow recursive queries from local hosts, and only authoritative zones to be queryable for all. I thought I was one of few who knew of this technique (barring Dan Bernstein), so I submitted the exact same concept to bugtraq, though only that of the norec variety, around the same time you made your paper, and it wasn't accepted to the list. So now I'm frustrated.:)
Of course, I was not nearly as in depth and analytical as you were, and you came up with some new methods that I hadn't yet thought of. Good job on the paper.
Re:Well known problems, mitigation long overdue
on
Examining ICMP Flaws
·
· Score: 2, Informative
Using ICMP redirect messages to arrange MITM attacks was also an old one, but I don't think that most stacks pay attention to redirect any more.
Most stacks do not accept redirects that didn't come from their default route. However, there is still a very similar un-patched vulnerability in Windows 95 through XP, though 2000 & XP are only partially vulnerable.
And you expect this to accomplish what? Spoofing is not required to send an unreachable, unless you're implying that the header inside the ICMP packet be checked?
Slashdot Mirror
I stumbled upon this, fumbling around with dig as well; having already set-up my nameservers to only allow recursive queries from local hosts, and only authoritative zones to be queryable for all. I thought I was one of few who knew of this technique (barring Dan Bernstein), so I submitted the exact same concept to bugtraq, though only that of the norec variety, around the same time you made your paper, and it wasn't accepted to the list. So now I'm frustrated. :)
Of course, I was not nearly as in depth and analytical as you were, and you came up with some new methods that I hadn't yet thought of. Good job on the paper.
Most stacks do not accept redirects that didn't come from their default route. However, there is still a very similar un-patched vulnerability in Windows 95 through XP, though 2000 & XP are only partially vulnerable.
And you expect this to accomplish what? Spoofing is not required to send an unreachable, unless you're implying that the header inside the ICMP packet be checked?